Security
⚡ The Payroll Engine is a backend service and should not be used on the public Internet. |
---|
The Payroll Engine server works locally with the HTTPS protocol. During setup, a developer certificate is installed on `localhost`.
To ensure multi-tenant capability, the backend server supports the HTTP header `Auth-Tenant`. If this header is present, it is compared with the tenant of the URL for each REST request.
Auth-Tenant: "MyTenantIdentifier"
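The header check described above, written as ASP.NET Core middleware. This is an added example, not the Payroll Engine's own code; the route template `/api/tenants/{tenant}/...`, the rejection status codes, the handling of repeated headers and the ordinal comparison are assumptions.

```csharp
// Program.cs for an ASP.NET Core minimal web project (dotnet new web).
// Illustrative only: the route template and status codes are assumptions,
// not the Payroll Engine's actual implementation.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;

var app = WebApplication.CreateBuilder(args).Build();

app.UseRouting(); // route values must be resolved before the tenant check runs

app.Use(async (context, next) =>
{
    // The page states the comparison happens only when the header is present.
    if (context.Request.Headers.TryGetValue("Auth-Tenant", out var headerValues))
    {
        // Assumption: a repeated header is an ambiguous tenant claim and is rejected.
        if (headerValues.Count != 1)
        {
            context.Response.StatusCode = StatusCodes.Status400BadRequest;
            return;
        }

        // Tolerate the quoted form shown on the page: Auth-Tenant: "MyTenantIdentifier"
        var claimed = headerValues[0]?.Trim().Trim('"');
        var routeTenant = context.GetRouteValue("tenant")?.ToString();

        // Only tenant-scoped routes are checked; ordinal comparison avoids
        // culture-dependent matches between similar-looking identifiers.
        if (routeTenant != null &&
            !string.Equals(claimed, routeTenant, StringComparison.Ordinal))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsync("Auth-Tenant does not match the tenant in the URL.");
            return;
        }
    }
    await next(context);
});

// Hypothetical tenant-scoped endpoint used to exercise the check.
app.MapGet("/api/tenants/{tenant}/employees",
    (string tenant) => Results.Ok(new { tenant }));

app.Run();
```

A request for one tenant's URL that carries a different `Auth-Tenant` value receives 403 before any endpoint code runs; a request without the header passes through, matching the "if this header is present" wording above.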
The REST API contains some request endpoints that allow data in the request body. For security reasons, these endpoints are not HTTP `GET` methods, but must be called as `POST` methods.
At the database level, the micro-ORM component Dapper prevents SQL injection.
To use the web application, the user must log in. When logging in for the first time, the user must set a password, which can be changed in the user settings.
If the login name (`User Identifier`) exists in several clients, the client must be selected beforehand. The login password is valid per client.
The web application uses the tenant authorization.
The web application distinguishes between the following user types:
- `User` - user of the web application with the features
- `Employee` - user of the web application and wage earner (self-employment)
- `Administrator` - has only the possibility to manage the users
- `Supervisor` - can use all features without restriction
In the web application, the user type is indicated by the icon of the User Settings command.
The functionality of the web application is controlled by Features (Feature Toggles) that are assigned to the user. Features are managed by
- users of type `Administrator`
- users of type `Supervisor`
- users with the feature `Users`
The `EmployeeCases` feature allows access to employee cases by displaying an additional page in the navigation. Some features, such as `Forecast`, extend the content of existing pages.
⚡ This is a pre-release version of the initial development, please read the restrictions.